CVE-2022-23227 is an important security vulnerability found in NUUO NVRmini2 through version 3.11. The flaw allows an unauthenticated attacker to upload an encrypted TAR archive that adds arbitrary users, because the upload handler lacks appropriate authentication mechanisms. When this vulnerability is combined with another known flaw, CVE-2011-5325, the attacker can execute code as root. This post provides an in-depth analysis of CVE-2022-23227, including a code snippet, links to original references, and exploitation details.

Description

The NUUO NVRmini2 software is prone to an unauthenticated user addition vulnerability. This happens when an attacker uploads an encrypted TAR archive. The system will process this TAR file, and as a result, add arbitrary users through the 'handle_import_user.php' file. This file does not properly validate the user attempting to upload the TAR archive, thus allowing the unauthorized addition of arbitrary users.

Original Reference: https://www.cvedetails.com/cve/CVE-2022-23227/

Exploit Details

This vulnerability can be exploited by an attacker who uploads an encrypted TAR file. The encryption potentially hides the attacker's actions from security products and monitoring tools. The attacker could take advantage of the arbitrary user addition vulnerability to gain unauthorized access and escalate privileges within the system.

When combined with another vulnerability, such as the file writing flaw CVE-2011-5325, this could lead to complete remote code execution as root on the NVRmini2 system. The file writing vulnerability allows an attacker to overwrite arbitrary files under the web root folder, which could lead to arbitrary code execution.

Code Snippet

The following code snippet demonstrates the exploitation of the CVE-2022-23227 vulnerability.

import requests

target = 'http://IP_ADDRESS_OF_TARGET/'  # placeholder base URL
tar_file = 'uploaded_encrypted_tarfile.tar'

# Exploit CVE-2022-23227
url = target + 'handle_import_user.php'
# Open the archive in a context manager so the file handle is closed after the request
with open(tar_file, 'rb') as fh:
    files = {'file': ('encrypted_tarfile.tar', fh, 'application/x-tar')}
    response = requests.post(url, files=files)

if response.status_code == 200:
    print("Exploit succeeded!")
else:
    print("Exploit failed. Check your target and encrypted TAR file.")

To mitigate the risk of exploitation, the following countermeasures can be taken:

- Apply appropriate authentication mechanisms to handle_import_user.php and its related functionality to prevent unauthorized access.
- Keep the NUUO NVRmini2 software up to date, ensuring the latest security patches and updates are applied.
- Limit exposure of the NUUO NVRmini2 software to the internet and secure internal networks, only allowing authorized personnel to access it.
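
To check whether the exposure described above has already been used, the web access logs can be searched for uploads to handle_import_user.php from hosts outside the management network. The following is an added example, not code from the original post or from NUUO; it assumes Common/Combined Log Format access logs and a hypothetical management subnet (10.20.0.0/24), and the log lines are constructed.

```python
import ipaddress
import re

# Assumption: the web server writes Common/Combined Log Format lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
ENDPOINT = "handle_import_user.php"  # endpoint named in this post
# Assumption: hypothetical subnet from which administrators manage the NVR.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def find_suspicious_imports(lines, allowed=MGMT_NETS):
    """Return one finding per POST to the import endpoint from outside `allowed`."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare only the path component so a query string does not hide the hit.
        if not m["path"].split("?", 1)[0].endswith("/" + ENDPOINT):
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
            if any(src in net for net in allowed):
                continue  # expected administrative use
        except ValueError:
            pass  # not an IP literal: cannot be allow-listed, so report it
        findings.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"])})
    return findings


# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '10.20.0.5 - - [14/Jan/2022:09:00:01 +0000] "POST /handle_import_user.php HTTP/1.1" 200 12',
    '203.0.113.7 - - [14/Jan/2022:18:20:44 +0000] "POST /handle_import_user.php HTTP/1.1" 200 12',
    '203.0.113.7 - - [14/Jan/2022:18:20:50 +0000] "GET /login.php HTTP/1.1" 200 912',
    '198.51.100.9 - - [15/Jan/2022:02:11:09 +0000] "POST /handle_import_user.php?x=1 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for f in find_suspicious_imports(SAMPLE_LOG):
        print(f"{f['time']} POST to {ENDPOINT} from {f['ip']} -> HTTP {f['status']}")
```

A finding with a 200 status is a reason to review the device's user list for accounts nobody on the team created.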

Conclusion

CVE-2022-23227 is a significant security vulnerability affecting NUUO NVRmini2 software through version 3.11. An attacker can exploit this vulnerability by uploading an encrypted TAR archive, allowing them to add arbitrary users and potentially escalate their privileges within the system. When combined with another vulnerability such as CVE-2011-5325, an attacker can achieve root code execution on the NVRmini2 system. Practicing secure coding guidelines, regularly applying software updates, and limiting unnecessary exposure to the web will help in mitigating the risk posed by this security vulnerability.

Timeline

Published on: 01/14/2022 18:15:00 UTC
Last modified on: 01/21/2022 18:51:00 UTC